Information Security Data Governance

By Paul Yoder, Director of Cybersecurity, Humble ISD, Humble, TX

Why it is important to help safeguard your data

In this treacherous world of prolific data breaches and compromised companies, it is becoming ever clearer that it’s time to get serious about protecting your data. But you say, “We’re already deploying next-gen firewalls, endpoint protection, AI threat-hunting platforms and training users every year on cybersecurity awareness. What more can we possibly be doing?” Those are all excellent steps in creating a multi-layered information security program. However, while everyone is focused on the bad guys attacking you from outside your network, it is often the inside of your network that is most vulnerable – the “Trojan Horse” scenario, if you will. How do I know this? Experience. Many years of experience with data breaches. We pour millions of dollars every year into ultra-sophisticated security toys to up our game against the adversaries out there trying to get into our networks – and yet, we remain vulnerable. Let me ask you some questions. Where is your data? And don’t say “in the cloud” or “in the data center, you nitwit!” What I mean is, where is ALL of your data? The little silos you may have no clue about... the data squirreled away on USB sticks... the sensitive data that is leaking out of your organization every single day without anyone noticing. Yes – THAT data! OK, now who owns that data? And by that I mean, who is the responsible guardian of those particular data silos? You don’t know, you say? Well, join the club. You are in good company!

Gartner analysts estimate that 80% of organizations that attempt to scale digital business through 2025 will fail because they don’t take a modern approach to data governance. Data governance is the method an enterprise uses to ensure the availability, integrity, security, and proper use of its data. Some reasons why data governance programs fail include:

Lack of executive support

Data governance projects might not have the tools, power, or guidance they need to be successful if top leadership does not openly support them.

People thinking IT owns the data

I guess you could chalk this up to “Risk Avoidance” – or people not wanting to be responsible for their own data.

Lack of communication and change management

Although Data Governance solutions necessitate process modifications, the expected advantages might not be evident without an effective communications plan.

Unclear goals

The program may not be clear up front about what it means and how its success should be measured.

Cultural awareness and adoption

Cultural awareness and acceptance rank as the biggest barriers to data governance, according to nearly two-thirds of enterprises.

Now that we know what some of the obstacles to Data Governance are, here are some real-world scenarios that I have personally come across in my information security career. They show how easy it is to lose control of your data – even when you think you’re doing your due diligence:

Scenario 1: A teacher takes a District-owned laptop home to do some remote work over the weekend. She is logged into the District network and leaves the laptop unattended for a short coffee break downstairs. Her son (who is a student in the same District) gains access to the District laptop and begins sharing Google drive folders with himself. This sparks a week-long investigation costing thousands of dollars in time spent on the investigation, and a lot of embarrassment for the teacher.

Scenario 2: A disgruntled employee at a Government R&D facility decides it might be a good idea to sell the entire staff directory (thousands of employees) to a data broker. After all, if they’re not being adequately compensated at their job, they might as well get a little extra income (at the facility’s expense) to make them feel better about the situation. Right?

Scenario 3: An IT Department Manager (you just CAN’T make this stuff up) decides it would be an absolutely bangin’ idea to post the sensitive root password list to a Google doc – after all, we should make it convenient for IT Staff to retrieve these complex passwords more easily to make their jobs a little more manageable. The hackers that gained access to the list wholeheartedly agreed! SCORE!!!

Scenario 4: A Department Head – having no idea of the power of Google shares – mistakenly shares a sensitive document with PII to the world. Luckily, with some very sophisticated DLP software, the share was caught in time and reversed before any real damage was done.

                How ironic that we pour so many resources into defending the corporate front gate, and then someone forgets to close the back door. I really hate it when that happens!

                So, what exactly constitutes an effective Data Governance program? Here are some starting points for you to consider:

  1. Get upper and middle management onboard with the concept of creating a Data Governance program. Without this, you are already dead-in-the-water. This will not only help establish the program, but help keep it fully watered and fed well into the future. I can’t tell you how many times I have felt resistance on this step. It’s just not a sexy topic and you need to spend some serious time on the presentation of this concept. Use fear-porn if needed.
  2. You absolutely need to find a serious DLP governance platform. It is absolutely insane to try to accomplish this manually (ask me how I know!). Your DLP solution should have a robust AI engine that is capable of finding data silos (wherever they may be) and auto-classifying them with labels, which makes assigning responsible guardians to specific data silos far easier. It is even better if this solution can look at application attributes as well, because applications (such as those in Google Workspace) have way too many liberties with your data. I was absolutely shocked when I found this out. Also, it should be capable of auto-blocking shares when it finds problematic instances (refer to Scenario 4 above!).
  3. Round this out by forming a Data Governance Committee where you will be able to present your (absolutely horrific) findings and begin to develop policies to prevent future vulnerabilities. This is also where you will be assigning Data Guardians to specific data silos. You might end up having a spirited meeting or two, but it will all be worth it in the end – promise!
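To make the DLP step concrete, here is an added example (not the author’s code or any vendor’s product) of the core logic such a platform performs: it crawls an inventory of documents, labels each one from the PII and credential patterns it finds, maps the owning silo to a Data Guardian, and auto-blocks public shares of sensitive content the way Scenario 4 describes. The inventory, guardian mapping and detector patterns are all constructed for illustration.

```python
import re

# Constructed sample inventory (not real data). Each record is what a DLP
# crawler would see: owning silo, sharing scope, and a content snippet.
INVENTORY = [
    {"id": "doc-1", "owner": "hr-dept", "scope": "anyone_with_link",
     "text": "Employee roster: Jane Doe SSN 123-45-6789, jane@example.org"},
    {"id": "doc-2", "owner": "it-dept", "scope": "domain",
     "text": "root password list: change-me-now (do not share)"},
    {"id": "doc-3", "owner": "teacher-smith", "scope": "anyone_with_link",
     "text": "Field trip permission form, no names yet"},
]

# Hypothetical silo-to-guardian mapping, as a Data Governance Committee would assign it.
GUARDIANS = {"hr-dept": "hr-director", "it-dept": "ciso", "teacher-smith": "principal"}

# Minimal detectors; a real platform uses many more (and validates matches).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "credential": re.compile(r"\bpassword\b", re.IGNORECASE),
}

def classify(text):
    """Return a sensitivity label and the names of the detectors that fired."""
    hits = [name for name, pat in PII_PATTERNS.items() if pat.search(text)]
    if "credential" in hits:
        return "restricted", hits      # secrets outrank ordinary PII
    if hits:
        return "confidential", hits
    return "internal", hits

def review(inventory, guardians):
    """Label every record, assign its guardian, and decide a share action."""
    findings = []
    for rec in inventory:
        label, hits = classify(rec["text"])
        public = rec["scope"] == "anyone_with_link"
        if label != "internal" and public:
            action = "revoke_public_share"   # the Scenario 4 case: block it now
        elif label == "restricted":
            action = "escalate_to_guardian"  # sensitive but not public: human review
        else:
            action = "none"
        findings.append({"id": rec["id"], "label": label, "detectors": hits,
                         "guardian": guardians.get(rec["owner"], "unassigned"),
                         "action": action})
    return findings
```

Records whose silo has no guardian come back as "unassigned", which is exactly the list the committee needs to work through first.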

                So, hopefully you have gained some actionable insights as to what a Data Governance program is, and what steps are necessary to take in order to bring it to fruition. I will admit that it is not the easiest thing in the world to undertake, but it definitely is one of the most satisfying things you can do to protect your data. Besides, the alternative (an internal data breach) is just not an option.